all

2024-04-21 14:42:52 +02:00
parent 4b69674ede
commit 8a25f53c99
10700 changed files with 55767 additions and 14201 deletions
--- a/SFU/app/src/XSS.js
+++ b/SFU/app/src/XSS.js
@ -0,0 +1,66 @@
+'use strict';
+
+const xss = require('xss');
+const Logger = require('./Logger');
+const log = new Logger('Xss');
+
+const checkXSS = (dataObject) => {
+    try {
+        if (Array.isArray(dataObject)) {
+            if (Object.keys(dataObject).length > 0 && typeof dataObject[0] === 'object') {
+                dataObject.forEach((obj) => {
+                    for (const key in obj) {
+                        if (obj.hasOwnProperty(key)) {
+                            let objectJson = objectToJSONString(obj[key]);
+                            if (objectJson) {
+                                let jsonString = xss(objectJson);
+                                let jsonObject = JSONStringToObject(jsonString);
+                                if (jsonObject) {
+                                    obj[key] = jsonObject;
+                                }
+                            }
+                        }
+                    }
+                });
+                log.debug('XSS Array of Object sanitization done');
+                return dataObject;
+            }
+        } else if (typeof dataObject === 'object') {
+            let objectJson = objectToJSONString(dataObject);
+            if (objectJson) {
+                let jsonString = xss(objectJson);
+                let jsonObject = JSONStringToObject(jsonString);
+                if (jsonObject) {
+                    log.debug('XSS Object sanitization done');
+                    return jsonObject;
+                }
+            }
+        } else if (typeof dataObject === 'string' || dataObject instanceof String) {
+            log.debug('XSS String sanitization done');
+            return xss(dataObject);
+        }
+        log.warn('XSS not sanitized', dataObject);
+        return dataObject;
+    } catch (error) {
+        log.error('XSS error', { data: dataObject, error: error });
+        return dataObject;
+    }
+};
+
+function objectToJSONString(dataObject) {
+    try {
+        return JSON.stringify(dataObject);
+    } catch (error) {
+        return false;
+    }
+}
+
+function JSONStringToObject(jsonString) {
+    try {
+        return JSON.parse(jsonString);
+    } catch (error) {
+        return false;
+    }
+}
+
+module.exports = checkXSS;